CVE-2026-28367 HIGH

CVE-2026-28367: Undertow: undertow: request smuggling via `\r\r\r` as a header block terminator

Vendor Red Hat
Product Red Hat JBoss Enterprise Application Platform 8.1
Weakness CWE-444
Published March 27, 2026
Last update June 10, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Description

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.
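The smuggling risk described above comes from two HTTP parsers disagreeing on where the header block ends: a front end that only recognises CRLF CRLF keeps reading headers, while a back end that also accepts `\r\r\r` stops early and treats the remaining bytes as a new request. The check below is an added example written for this page, not Undertow's or Red Hat's code; it implements the strict RFC 9112 framing rule (only CRLF line breaks, header block terminated by CRLF CRLF) and reports any bare CR or bare LF inside the header block, which is the kind of ambiguity a reverse proxy or WAF should reject before forwarding. The request bytes are constructed for illustration.

```python
"""Strict HTTP/1.1 header-framing check: flag any line break that is not CRLF.

Added example for this CVE record (not Undertow's parser). A request whose
header block contains a bare CR or bare LF is ambiguous: a lenient parser
may treat it as a line or block terminator while a strict one does not.
"""

CRLF_CRLF = b"\r\n\r\n"


def find_bare_cr_lf(header_block: bytes) -> list[tuple[int, str]]:
    """Return (offset, kind) for every CR not followed by LF and every LF
    not preceded by CR inside header_block (which includes its CRLF CRLF)."""
    anomalies = []
    i, n = 0, len(header_block)
    while i < n:
        byte = header_block[i]
        if byte == 0x0D:  # CR
            if i + 1 < n and header_block[i + 1] == 0x0A:
                i += 2  # proper CRLF, skip both bytes
                continue
            anomalies.append((i, "bare CR"))
        elif byte == 0x0A:  # LF that was not consumed as part of a CRLF
            anomalies.append((i, "bare LF"))
        i += 1
    return anomalies


def validate_framing(raw: bytes) -> dict:
    """Locate the header block using only CRLF CRLF and refuse it if it
    contains any non-CRLF line break. Returns a verdict dict."""
    end = raw.find(CRLF_CRLF)
    if end < 0:
        return {"ok": False, "reason": "no CRLF CRLF header terminator",
                "anomalies": [], "body_offset": None}
    header_block = raw[: end + len(CRLF_CRLF)]
    anomalies = find_bare_cr_lf(header_block)
    if anomalies:
        return {"ok": False, "reason": "non-CRLF line break inside header block",
                "anomalies": anomalies, "body_offset": end + len(CRLF_CRLF)}
    return {"ok": True, "reason": "", "anomalies": [],
            "body_offset": end + len(CRLF_CRLF)}


# Constructed sample inputs (hypothetical host name, not real traffic).
GOOD_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
# Header block "terminated" by \r\r\r, followed by bytes that a strict
# parser still reads as headers of the same request.
AMBIGUOUS_REQUEST = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0"
    b"\r\r\r"
    b"GET /second HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("ambiguous", AMBIGUOUS_REQUEST)):
        print(label, validate_framing(req))
```

A proxy applying this rule forwards `GOOD_REQUEST` unchanged and drops `AMBIGUOUS_REQUEST` with three bare-CR findings at the point where the `\r\r\r` sequence sits, so the back end never sees bytes whose framing it might interpret differently from the front end.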

Disclosure timeline

March 27, 2026 CVE published
June 10, 2026 Record updated
